U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE INFORMATION SECURITY POSTURE OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S USAJOBS SYSTEM

FY 2012

Report No. 4A-HR-00-12-037

Date: July 26, 2012

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT
AUDIT OF THE INFORMATION SECURITY POSTURE OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S USAJOBS SYSTEM
FY 2012
WASHINGTON, D.C.

Report No. 4A-HR-00-12-037
Date: 07/26/12

Michael R. Esser
Assistant Inspector General for Audits

www.opm.gov    www.usajobs.gov

Executive Summary

The goal of FishNet Security, Inc.'s assessment was to thoroughly document the overall security posture of USAJOBS through a series of tests, to include:
• Network architecture review;
• Internal vulnerability assessment including server and database configuration review;
• External vulnerability and web application assessment;
• Source code review; and
• Mobile application security assessment.

Overall, USAJOBS was found to be in good security standing and does not appear to pose any significant risk to OPM or its constituents. There were no critical vulnerabilities discovered during the multi-discipline assessment that required immediate escalation. Additionally, the large majority of issues found from each assessment phase were of the medium to low/informational severity ranking. Low-severity rated vulnerabilities comprised nearly half of the adverse findings.

FishNet and the OIG believe that there is clear intent by OPM to ensure the confidentiality, integrity, and availability of the USAJOBS environment. Throughout the testing it became obvious that there were some security weaknesses, but nothing that put the USAJOBS environment at immediate risk. Many of the findings are similar to those found in other organizations facing similar operational challenges.

However, throughout the testing of the USAJOBS environment some concerns about the design of the supporting infrastructure were realized. The testers discovered that the domain hosting USAJOBS is shared with other services and applications hosted by OPM's Macon data center.

USAJOBS is widely considered the flagship information system at OPM. Any application with the size, visibility, and public importance of USAJOBS should be operating in a dedicated, multi-tiered environment, thereby creating a defense-in-depth strategy for protecting the confidentiality, integrity, and availability of system resources and data.

Contents

                                                          Page
Executive Summary ....................................... i
Introduction and Background ............................. 1
Objectives .............................................. 1
Scope and Methodology ................................... 1
Reporting and Finding Severity .......................... 2
Compliance with Laws and Regulations .................... 3
Results ................................................. 4
   Overall Security Assessment Summary .................. 4
   A. Network Architecture ............................... 5
   B. Internal Network Assessment ........................ 6
   C. External Network and Web Application Assessment ... 7
   D. Source Code Review ................................. 8
   E. Mobile Application Assessment ...................... 9
Major Contributors to this Report ....................... 11

Appendix: The Office of the Chief Information Officer's June 14, 2012 response to the draft audit report, issued May 16, 2012.

Introduction and Background

USAJOBS is the Federal Government's official one-stop source for Federal jobs and employment information. The USAJOBS website provides public notice of Federal employment opportunities to Federal employees and United States citizens. USAJOBS is cooperatively owned by the Federal Chief Human Capital Officer (CHCO) Council.

In 2003, OPM contracted with Monster Government Services (MGS) to host and maintain the USAJOBS system. In 2010, OPM and the CHCO Council made the decision to not renew its contract with MGS and to bring USAJOBS in-house at OPM. One element of this decision was based on the fact that two separate security breaches at MGS led to the disclosure of sensitive USAJOBS data.

In October 2011, OPM launched USAJOBS 3.0. This new version of USAJOBS was developed by various members of the CHCO Council with primary contributions from OPM, the Department of Homeland Security, and the Department of Defense. USAJOBS 3.0 is hosted at OPM's data center in Macon, Georgia.

Objectives

The objectives of this audit were to assess the information security controls of USAJOBS and to evaluate OPM's overall efforts to protect the sensitive data processed by USAJOBS. These objectives were met by reviewing the following elements of USAJOBS:

• Network architecture;
• Internal vulnerabilities including server and database configurations;
• External vulnerabilities and web application;
• Source code; and,
• Mobile application security.

Scope and Methodology

This performance audit was conducted by the Office of the Inspector General (OIG) in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit documented the overall security posture of USAJOBS as of April 2012.

We considered the USAJOBS internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objectives, we contracted with an information security professional services provider, FishNet Security, Inc. (FishNet), to perform a thorough vulnerability assessment and penetration test of the USAJOBS application and network environment.

Details of the security controls protecting the confidentiality, integrity, and availability of USAJOBS are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the USAJOBS system of internal controls taken as a whole.

The audit was conducted from February through April 2012 in OPM's Washington, D.C. office and FishNet's offices in Herndon, Virginia and Salt Lake City, Utah.

Reporting and Finding Severity

FishNet provided OPM with detailed reports of its findings that referenced specific server names, Internet protocol (IP) addresses, web pages, etc. Due to the highly sensitive nature of FishNet's reports, they will be kept confidential and will not be incorporated into the OIG reporting process.

We submitted a draft audit report to the Office of the Chief Information Officer (OCIO) to elicit their comments on our conclusions. The OCIO provided consolidated comments that included input from two of its divisions: the USAJOBS Program Office that manages the system and the Human Resources Tools and Technology (HRTT) division that supports the system's technical environment. These comments on the draft report were considered in preparing the final report and are attached as the Appendix.

The draft audit report contained an attachment with findings and recommendations related to the specific technical vulnerabilities detected during this audit. Although the attachment does not have the same level of detail as FishNet's reports, it does contain sensitive information and therefore will not be included in this final audit report. Distribution of this document was limited to the USAJOBS Program Office, the OCIO, and OPM's Internal Oversight and Compliance Office.

In performing vulnerability assessments and other related work, FishNet's information security assessors rated the severity of its findings. In defining its severity ratings, FishNet combines its own experience from years in the information security professional services industry with widely adopted information assurance industry standards and methodologies in the application of impact ratings to discovered vulnerabilities. The three levels of severity (low, medium, high) are defined below:
• Low – limited impact; confined to a set of resources;
• Medium – tangible impact; potential damage to data and resources; and,
• High – significant impact; probable damage to data and resources.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OPM's management of USAJOBS is consistent with applicable standards. Nothing came to the OIG's attention during this review to indicate that OPM is in violation of relevant laws and regulations.

Results

The sections below provide a high-level summary of FishNet Security, Inc.'s (FishNet) security vulnerability assessment of OPM's USAJOBS information system. Due to the sensitive nature of the information, the specific findings and recommendations related to the issues identified were communicated separately to the OCIO.

Overall Security Assessment Summary

The goal of FishNet's assessment was to thoroughly document the overall security posture of USAJOBS through a series of tests, to include:
• Network architecture review;
• Internal vulnerability assessment including server and database configuration review;
• External vulnerability and web application assessment;
• Source code review; and
• Mobile application security assessment.

Overall, USAJOBS was found to be in good security standing and does not appear to pose any significant risk to OPM or its constituents. There were no critical vulnerabilities discovered during the multi-discipline assessment that required immediate escalation. Additionally, the large majority of issues found from each assessment phase were of the medium to low/informational severity ranking. Low-severity rated vulnerabilities comprised nearly half of the adverse findings.

FishNet detected three vulnerabilities that it believes warrant a high-severity vulnerability rating. Of these three high-severity vulnerabilities, two dealt with the problem of improper input validation: one instance on the main USAJOBS website and one on the iOS mobile application. The other high-severity vulnerability related to parameter-based redirection that could lead a user to a malicious website. Therefore it could reasonably be said that only two significantly distinct high-severity vulnerabilities were encountered.

Concerning remediation efforts, the vast majority of issues encountered with USAJOBS are considered to be of a minimal level of effort (LOE) to correct. The highest-LOE vulnerability concerned the overall topology of the USAJOBS application, and in FishNet's and the OIG's opinions, ranks among the most significant findings. While immediate attention should be paid to the two distinct high-severity vulnerabilities, we believe that OPM should also not wait to address what appears to be an undesirable shared infrastructure and move to a dedicated, segregated topology, which cleanly separates the development and production environments.

FishNet and the OIG believe that there is clear intent by OPM to ensure the confidentiality, integrity, and availability of the USAJOBS environment. Throughout the testing it became obvious that there were some security weaknesses, but nothing that put the USAJOBS environment at immediate risk. Many of the findings are similar to those found in other organizations facing similar operational challenges.

The results of each element of this security assessment are outlined below.

OCIO Response:

"The USAJOBS Program Office and HRTT have identified the following points of clarification:
    • Low-severity rated vulnerabilities and informational items comprised more than half of the adverse findings reported by the independent assessor.
    • The independent assessor stated that the overall security of USAJOBS was sound and a credit to the organization's security assessment and authorization process and the hard work of the personnel involved. In addition, the assessor noted that the mobile application was designed and implemented as securely as can reasonably be achieved on a mobile platform.
    • At the conclusion of the multi-discipline assessment, the USAJOBS environment had no security weaknesses that put the system assets, OPM, or the public at immediate risk. The identified findings are similar to those found in other organizations facing similar operational challenges."

OIG Reply:

We acknowledge the work that the USAJOBS Program Office and HRTT have done to secure the USAJOBS system. We would also like to highlight the fact that the Program Office and HRTT have already remediated many of the specific audit recommendations that were outlined in the draft report, including all three related to high-severity vulnerabilities.

The OCIO's comments in response to our draft report (see Appendix) reference the number of audit recommendations that have been successfully implemented since the draft report was issued. Please note that the number of recommendations that we list in this report as remaining open does not exactly match the number referenced by the OCIO in the Appendix. All discrepancies are the result of either 1) the OIG requesting additional evidence or monitoring before supporting closure of the recommendation, or 2) the OIG supporting closure of a recommendation based on the OCIO's acceptable use of the "risk acceptance" process.

A. Network Architecture

   Throughout the testing of the USAJOBS environment some concerns about the design of the supporting infrastructure were realized. The testers discovered that the domain hosting USAJOBS is shared with other services and applications hosted by OPM's Macon data center. There were questions about how segregated the application environments actually were, based on the shared network address among the DMZ, Private, and OPM-MACON environments. Further analysis showed the integration of the USAJOBS test and development systems within the different environments.

   This lack of segregation lends itself to a higher probability of data leakage, unauthorized access to sensitive data, or conflicts of interest between the development team and the production environment. It is critical to consider the interconnectivity of the different application environments and ensure that user, administrative, and role-based access is granted based on least privilege and separation of duties.

   USAJOBS is widely considered the flagship information system at OPM. Any application with the size, visibility, and public importance of USAJOBS should be operating in a dedicated, multi-tiered environment. A multi-tiered environment helps ensure that access to the appropriate resource is granted to the appropriate requestor. It seeks to separate the front-end, mid-level, and back-end services, thereby creating a defense-in-depth strategy for protecting the confidentiality, integrity, and availability of system resources and data.

   In addition to segregating the USAJOBS environment, we recommend that OPM analyze what other information systems hosted at the Macon data center warrant segregation, with particular attention paid to Employee Express (a large payroll/personnel system used throughout the federal government).

   OCIO Response:

   "The USAJOBS web site was designed and deployed as a multi-tiered system to include a web service tier (front-end), application tier (mid-level), and database tier (back-end services). The tiers are separated across logical networks and segregation is enforced by dedicated security service devices (firewalls) with defined network traffic management rules.

   A plan has already been developed to further segregate the Macon private network into application specific networks for the major hosted applications and will define separate development/test environment networks for those applications."

   OIG Reply:

   We agree that OPM's network environment has adequate firewall protection from external threats. However, the current firewall structure does not adequately protect USAJOBS from internal threats. We will continue to monitor the OCIO's efforts to further segregate the USAJOBS environment.

B. Internal Network Assessment

   The internal network assessment was performed using a variety of automated tools and manual techniques to determine potential threats to the USAJOBS environment from an attacker with access to OPM's network.

   This review covered a specific subset of USAJOBS servers, databases, and network infrastructure. The process consists of the four phases described below:
   • Mapping and Target Analysis - determined the USAJOBS visibility from the internal perspective, both as an unauthenticated user and a fully authenticated administrative user, correlated differences between the user types, and identified potential vulnerabilities. This phase provided insight into both the potential of a successful attack and the likelihood that system administrators would detect such an attack.

   • Vulnerability Measurement and Data Collection - the exploitation of network and system vulnerabilities to systematically measure the secure state of the overall environment. The vulnerability data was measured and recorded for each system tested while making every effort to not cause disruption or interference to the systems being probed.

   • Data Analysis and Security Design Review - compared test results with operational and security policy requirements to identify deficiencies and develop recommendations.

   • Report and Recommendations - provides OPM with an assessment of the existing security posture and actions to be taken to improve any deficiencies.

   FishNet's internal network assessment identified five medium-severity and two low-severity vulnerabilities. It is important to note that FishNet categorizes individual findings. For example, three systems each having three missing security patches would be documented as a single "Missing Patch" finding.

   Many of the findings in this section revolved around the concepts of patching and account management. These are on-going challenges for nearly all organizations since the IT systems and users that support operations are continuously changing. It is for this reason that these areas undergo a high level of scrutiny to ensure that account credentials do not exceed the necessary level of access and that account credentials are changed periodically, even for service accounts.

   OCIO Response:

   The OCIO provided the OIG with descriptions and evidence of the work it has done to implement the audit recommendations related to the internal network assessment.

   OIG Reply:

   We acknowledge that the OCIO has successfully remediated four medium and two low-severity findings. Only a single medium-severity finding remains open in this section. The OCIO has taken steps to address this recommendation, and we have asked for additional evidence before supporting closure of this item.

C. External Network and Web Application Assessment

   The external network and web application assessment was performed using a variety of automated tools and manual techniques to determine the potential threat to the USAJOBS environment from an external threat perspective. FishNet's external assessment followed the same four-phase approach described in the internal assessment section above.

   The external network assessment identified one high-severity, three medium-severity, eight low-severity and two informational findings.

   The high-severity vulnerability relates to a USAJOBS parameter which is not validated by the application. A malicious user would be able to launch a phishing attack to trick a user into following a crafted URL to a site of the attacker's choosing. For example, the malicious site could prompt the user to re-enter their USAJOBS username and password and thereby provide the user's credentials to the attacker.

   One medium-severity vulnerability relates to several web pages on the webadmin site that do not validate a user's role. This permits a user to execute application logic that is beyond their role. USAJOBS also utilizes a third-party survey service whose administration pages are not appropriately secured. Two session cookies were also identified which do not set the secure flag. Not setting the secure flag permits the session cookie to be transmitted to unencrypted portions of the site over the Internet.

   Several low-severity findings relate to an attacker's ability to enumerate valid user accounts and session cookies not being bound to a user's IP address.

   OCIO Response:

   The OCIO provided the OIG with descriptions and evidence of the work it has done to implement the audit recommendations related to the external network and web application assessment.

   OIG Reply:

   We acknowledge that the OCIO has successfully remediated one high, one medium, and four low-severity findings. Two medium and four low-severity findings remain open in this section. These open items are either prioritized for upcoming releases of USAJOBS or pending a program office decision of remediation or risk acceptance.

D. Source Code Review

   The source code review was conducted by a manual review of the USAJOBS code base and by using IBM's AppScan Source Edition, a leading commercial static code analysis tool. FishNet manually reviewed all AppScan Source Edition results to validate findings and eliminate false positives.

   During the source code review, FishNet identified one high-severity, three medium-severity, and three low-severity vulnerabilities.

   The high-severity vulnerability relates to a systemic lack of input validation and output encoding, including two pages vulnerable to a cross-site scripting (XSS) attack.
   Exploitation of this vulnerability would require the attacker to send USAJOBS users a phishing email containing a link with the malicious code attached.

   The medium-severity findings are comprised of the ability to lock out a user account through the forgot-password functionality, and internal credentials being stored insecurely. These issues may expose USAJOBS and its users to other types of attacks but do not result in direct compromise.

   The low-severity findings include the disclosure of sensitive information, insufficient randomization when generating some encryption tokens, and some pages including unnecessary HTML comments.

   OCIO Response:

   The OCIO provided the OIG with descriptions and evidence of the work it has done to implement the audit recommendations related to the source code review.

   OIG Reply:

   We acknowledge that the OCIO has successfully remediated all but one medium and one low-severity finding in this section. Of these two remaining findings, one is prioritized for an upcoming release of USAJOBS and the other is pending a program office decision of remediation or risk acceptance.

E. Mobile Application Assessment

   The mobile application security assessment of the USAJOBS iOS application was focused on identifying potential security vulnerabilities that, if unresolved, might undermine the security of the USAJOBS system. FishNet assessed the USAJOBS iOS application using both an unauthenticated (i.e., "external hacker") scenario as well as an authenticated (i.e., "malicious user") scenario.

   The mobile assessment identified one high-severity, two medium-severity and three low-severity vulnerabilities.

   The high-severity issue identified relates to a lack of input validation or output encoding on user input before it is passed back to the backend web service. This is the same high-severity issue identified on the main USAJOBS application during the source code review. This vulnerability, also known as XML Injection, may be used by an attacker to further escalate their attempts at subverting any protections built into the application. At a minimum, it causes multiple requests to be made to the backend web service and interrupts the flow of the application.

   The medium-severity vulnerabilities relate to the exposure of configuration information for the backend web services and the ability for attackers to guess valid usernames using the USAJOBS iOS backend web service through the error messages returned due to account lockout. All medium-severity issues should be reviewed in terms of user experience to determine if the sensitivity of the information requires additional protections to be used.

   The low-severity vulnerabilities are weaknesses within the application that may give an attacker a foothold to limited amounts of user or architectural information. None currently allow the compromise of the USAJOBS iOS application, but they may help an attacker in targeting application users. These vulnerabilities include the exposure of application usernames to attackers with physical access to the iOS device, the lack of an automatic session timeout, and the exposure of platform information on backend web service requests.

   OCIO Response:

   The OCIO provided the OIG with descriptions and evidence of the work it has done to implement the audit recommendations related to the mobile application assessment.

   OIG Reply:

   We acknowledge that the OCIO has successfully remediated all but one low-severity finding in this section. Remediation of this last finding is pending a program office decision of remediation or risk acceptance.

Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

• [redacted], Group Chief
• [redacted], Senior Team Leader

Appendix

MEMORANDUM FOR:   [redacted]
                  Chief, Information Systems Audits Group

FROM:             MATTHEW E. PERRY
                  Chief Information Officer
                  USAJOBS 3.0 Authorizing Official

SUBJECT:          Response to Draft Report:
                  Audit of the Information Security Posture of the U.S. Office of Personnel Management's USAJOBS System (Report No. 4A-HR-00-12-037)

The Office of Personnel Management (OPM) USAJOBS Program Office and Human Resource Tools and Technology (HRTT) division acknowledge and appreciate the work of the Office of Inspector General (OIG) and the independent assessor to identify potential information security risks and opportunities to improve the security posture of the USAJOBS information system. This memo serves as official response to the draft report content.

Overall Security Assessment Summary
The USAJOBS Program Office and HRTT have identified the following points of clarification:
   • Low-severity rated vulnerabilities and informational items comprised more than half of the adverse findings reported by the independent assessor.
   • The independent assessor stated that the overall security of USAJOBS was sound and a credit to the organization's security assessment and authorization process and the hard work of the personnel involved. In addition, the assessor noted that the mobile application was designed and implemented as securely as can reasonably be achieved on a mobile platform.
   • At the conclusion of the multi-discipline assessment, the USAJOBS environment had no security weaknesses that put the system assets, OPM, or the public at immediate risk. The identified findings are similar to those found in other organizations facing similar operational challenges.

Network Architecture
The USAJOBS web site was designed and deployed as a multi-tiered system to include a web service tier (front-end), application tier (mid-level), and database tier (back-end services). The tiers are separated across logical networks and segregation is enforced by dedicated security service devices (firewalls) with defined network traffic management rules.

A plan has already been developed to further segregate the Macon private network into application specific networks for the major hosted applications and will define separate development/test environment networks for those applications.

Internal Network Assessment
The current remediation status of documented findings is as follows:
   • Four (4) recommendations have been implemented to remediate findings. Corresponding evidence has been provided to the OIG.
   • One (1) recommendation is related to a previously identified and mitigated issue regarding patching of embedded non-Microsoft third party software. Evidence of mitigation has been provided to the OIG.
   • Two (2) recommendations require further analysis to determine the feasibility of full implementation.

HRTT patches non-Microsoft software products within the USAJOBS system unless doing so would severely compromise system performance and availability. When patching cannot be achieved due to technical constraints, compensating controls are deployed to mitigate risk. It is more accurate to state that formal patch management policy and standard operating procedures should be expanded to include patching and updating non-Microsoft technologies supporting USAJOBS.

External Network and Web Application Assessment
The current remediation status of documented findings is as follows:
   • Five (5) recommendations have been implemented to remediate findings.
Corresponding\n       evidence has been provided to the OIG.\n   \xe2\x80\xa2 Five (5) recommendations are partially implemented or planned for a future release.\n   \xe2\x80\xa2 Two (2) recommendations require further analysis to determine the feasibility of full\n       implementation.\n   \xe2\x80\xa2 Duplicate recommendations from other sections of the report have been noted.\n\nSource Code Review\nThe current remediation status of documented findings is as follows:\n   \xe2\x80\xa2 Five (5) recommendations have been implemented to remediate findings. Corresponding\n       evidence has been provided to the OIG.\n   \xe2\x80\xa2 One (1) recommendation is planned for a future release.\n   \xe2\x80\xa2 One (1) recommendation requires further analysis to determine the feasibility of full\n       implementation.\n\nMobile Application Assessment\nThe current remediation status of documented findings is as follows:\n   \xe2\x80\xa2 Three (3) recommendations are planned for a future release.\n   \xe2\x80\xa2 Three (3) recommendations require further analysis to determine the feasibility of full\n       implementation.\n   \xe2\x80\xa2 Duplicate recommendations from other sections of the report have been noted.\n\n\n                                      FOR OFFICIAL USE ONLY\n\x0c"